
The Scope and Potential of FTC Data Protection

Woodrow Hartzog* and Daniel J. Solove**

THE GEORGE WASHINGTON LAW REVIEW [Vol. 83:2230
November 2015 Vol. 83 No. 6

* Associate Professor, Cumberland School of Law at Samford University; Affiliate Scholar, The Center for Internet and Society at Stanford Law School. The authors would like to thank Howard Beales, Danielle Citron, James Cooper, Chris Hoofnagle, Gus Hurwitz, William Kovacic, Geoff Manne, Mark McKenna, Maureen Ohlhausen, Paul Ohm, Lydia Parnes, Berin Szoka, Jay Tidmarsh, David Vladeck, Stephen Yelderman, the faculty at the University of Notre Dame Law School, participants of the Sixth Annual Privacy Law Scholars Conference, and the participants of the Research Roundtable on the Future of Privacy & Data Security Regulation hosted by the Law and Economics Center at George Mason University School of Law. The authors would like to thank the Law and Economics Center at George Mason University School of Law for its support of this research.

** John Marshall Harlan Research Professor of Law, The George Washington University Law School.

ABSTRACT

For more than fifteen years, the FTC has regulated privacy and data security through its authority to police deceptive and unfair trade practices as well as through powers conferred by specific statutes and international agreements. Recently, the FTC’s powers for data protection have been challenged by Wyndham Worldwide Corp. and LabMD. These recent cases raise a fundamental issue, and one that has surprisingly not been well explored: How broad are the FTC’s privacy and data security regulatory powers? How broad should they be?

In this Article, we address the issue of the scope of FTC authority in the areas of privacy and data security, which together we will refer to as “data protection.” We argue that the FTC not only has the authority to regulate data protection to the extent it has been doing, but that its granted jurisdiction can expand its reach much more. Normatively, we argue that the FTC’s current scope of data protection authority is essential to the United States data protection regime and should be fully embraced to respond to the privacy harms unaddressed by existing remedies available in tort or contract, or by various statutes. In contrast to the legal theories underlying these other claims of action, the FTC can regulate with a much different and more flexible understanding of harm than one focused on monetary or physical injury.

Thus far, the FTC has been quite modest in its enforcement, focusing on the most egregious offenders and enforcing the most widespread industry norms. Yet the FTC can and should push the development of norms a little more (though not in an extreme or aggressive way). We discuss steps the FTC should take to change the way it exercises its power, such as with greater transparency and more nuanced sanctioning and auditing.

TABLE OF CONTENTS

INTRODUCTION
I. THE BOUNDARIES OF FTC POWER
   A. The Critiques of the FTC’s Data Protection Authority
   B. The Scope of FTC Authority
      1. The Broad Concepts of Deception and Unfairness
      2. Overlapping Domains
      3. Adequate Notice and the Gradual Development of Rules
II. DEFINING THE FTC’S ROLE IN DATA PROTECTION
   A. Linchpin of U.S. Data Protection Law
   B. Toward a More Expansive FTC Role in Data Protection
      1. An Emergent Data Protection Authority
      2. The FTC’s Diverse Toolkit
         a. Redress for Nontraditional Forms of Harm
         b. Balancing that Accounts for Larger Societal Interests
         c. Ameliorating Privacy Harms from Institutional Bargaining
III. THE LIMITS OF FTC POWER AND ESSENTIAL IMPROVEMENTS
   A. The Limits of Section 5 Authority
   B. The Appropriate Level of Restraint
   C. Areas for Improvement
CONCLUSION

INTRODUCTION

For more than fifteen years, the Federal Trade Commission (“FTC”) has regulated privacy and data security through its authority to police deceptive and unfair trade practices as well as through powers conferred by specific statutes and international agreements. Throughout most of this time, the FTC’s power to regulate privacy and data security went unchallenged—until quite recently. In FTC v. Wyndham Worldwide Corp.,[1] a hotel chain challenged the FTC’s authority to regulate data security practices.[2] In LabMD, Inc.,[3] a medical diagnostics company raised a similar challenge.[4] These recent cases raise a fundamental issue, and one that has surprisingly not been well explored: How broad are the FTC’s privacy and data security regulatory powers? How broad should they be?

[1] FTC v. Wyndham Worldwide Corp., 10 F. Supp. 3d 602 (D.N.J. 2014), aff’d, 799 F.3d 236 (3d Cir. 2015).
[2] Id. at 607; see also First Amended Complaint for Injunctive & Other Equitable Relief at 2, Wyndham, 10 F. Supp. 3d 602 (No. CV 12-1365-PHX-PGR) [hereinafter Wyndham Complaint]; Julie Sartain, Analyzing FTC v. Wyndham, INT’L ASS’N PRIVACY PROFESSIONALS (Oct. 5, 2012), https://privacyassociation.org/news/a/2012-10-11-analyzing-ftc-vs.-wyndham/.
[3] Complaint, LabMD, Inc., FTC File No. 102-3099, 2013 WL 5232775 (F.T.C. Aug. 28, 2013) [hereinafter LabMD Complaint].
[4] See Respondent LabMD, Inc.’s Answer & Defenses to Admin. Complaint at 6, LabMD, Inc., 2013 WL 5348553, at *3.

In this Article, we address the scope of the FTC’s authority over privacy and data security, two related areas that together we will refer to as “data protection.” We argue that the FTC not only has the authority to regulate data protection to the extent it has been doing, but that it also has the authority to expand its reach much more. Normatively, we argue that the FTC’s current scope of data protection authority is essential to the U.S. data protection regime and should be fully embraced to respond to the privacy harms unaddressed by existing torts, contracts, and statutes.

In Part I, we discuss the legal boundaries of the FTC’s data protection authority. We explore arguments made by critics of the FTC’s data protection regulation that the FTC has been overstepping its authority in this domain. We respond by contending that the FTC’s data protection authority is broad because it emerges from Section 5 of the Federal Trade Commission Act of 1914 (“FTC Act”),[5] which has an intentionally broad scope.

[5] Federal Trade Commission (FTC) Act of 1914 § 5, 15 U.S.C. § 45 (2012).

Critics contend that the FTC is engaging in a form of rulemaking in this area where it lacks meaningful rulemaking authority. Worse still, the critics argue, the FTC is attempting to enforce these “rules” without articulating them clearly, and thus failing to provide adequate notice about them. We argue that any time a broad standard is interpreted over time in a case-by-case adjudicatory manner, with an attempt to interpret consistently and treat prior decisions as having precedential value, the result will be the gradual calcification of the standard into a more rule-like structure. The FTC is not exceeding its authority because this developmental pattern is practically inevitable.

We also argue that, contrary to the critics’ contentions, the FTC has generally been quite clear and consistent in its approach. For example, the FTC has based its data security jurisprudence on industry standards and a reasonableness requirement instead of specific and rigid rules. Such an approach is more conservative than the FTC promulgating a set of standards all at once in a nonincremental manner. The standards evolve in a common-law-like fashion, a developmental pattern typified by incremental change and adherence to precedent, consistency in decisions, and case-by-case adjudication over time. In fact, if this pattern were not present, then the FTC would be acting inconsistently, ignoring previous actions, or reaching too far beyond particular cases.

Critics have also argued that the FTC’s authority cannot overlap with that of other agencies, which it does in a number of instances. We contend that Section 5 will inevitably overlap with other statutes and regulatory domains, that the FTC routinely shares authority with other administrative agencies, and that such overlap is manageable.

In Part II, we turn to the normative issues regarding the scope of the FTC’s data protection authority. We contend that the FTC currently serves as an essential linchpin in the U.S. data protection regulatory regime. The U.S. privacy regulatory landscape developed as an amalgamation of various federal and state laws along with a significant amount of self-regulation. The FTC has made the self-regulation significantly more meaningful through its enforcement of the promises companies make about the way they collect, use, and protect data. The FTC has filled gaps when a number of large industries have not been regulated by federal data protection statutes. In many instances, the FTC is the only regulator with the resources to enforce necessary protections like data security.